Reverse Engineering Packet Structures Through The Client?

  1. #16 AcarX (Member, joined Aug 2015, 79 posts)

    Re: Reverse Engineering Packet Structures Through The Client?

    I appreciate all the help guys. I'd like to clarify my aim once again though. If possible I'd like to analyze packet structures through the client instead of being dependent on an online server. While I was messing around in IDA I found a bunch of strings such as "Agpm::Character OnReceive(1) ..", "Agpm::Item OnReceive(1)". I believe Agpm stands for "Archlord game packet manager". Although I wasn't able to make much sense of what was happening due to my lack of assembly knowledge.

  2. #17 dTantra (Member, joined Jul 2013, 94 posts)

    Quote Originally Posted by AcarX:
    I appreciate all the help guys. I'd like to clarify my aim once again though. If possible I'd like to analyze packet structures through the client instead of being dependent on an online server. While I was messing around in IDA I found a bunch of strings such as "Agpm::Character OnReceive(1) ..", "Agpm::Item OnReceive(1)". I believe Agpm stands for "Archlord game packet manager". Although I wasn't able to make much sense of what was happening due to my lack of assembly knowledge.
    If that is the goal, you are in for a long hard trip, as most games do not leave enough information to "easily" pull structure data from ASM.

    Most of the time it simply compiles the data for each opcode function and copies it to a reserved set of memory that was created based on the final packet size. That memory location is then usually pushed to whatever function handles the encryption, if any is present.

    So really what you are looking at doing is a ton of reverse engineering to go step by step as a particular packet is received and handled, to see what kind of data it pulls off and attempt to see what it does with that data. This is usually why people take large dumps of packets and analyze them, so they can see the exact data in use and modify it as they need to see the desired effect.

    I'll use another game as an example.

    Here is the packet data for character deletion, decrypted of course.

    Code:
    12 00 18 05 02 00 00 00  06 33 34 35 33 34 35 00  ........  .345345.
    2E 1A                                             ..
    I know from working with the game for a few days that the opcode for the function is 0x0518.

    Here is the function in game that creates that packet.

    Code:
    CPU Disasm
    Address   Hex dump          Command                                  Comments
    00818E10  /$  55            PUSH EBP                                 ; GDMO.00818E10(guessed Arg1,Arg2)
    00818E11  |.  8BEC          MOV EBP,ESP
    00818E13  |.  51            PUSH ECX
    00818E14  |.  894D FC       MOV DWORD PTR SS:[LOCAL.1],ECX
    00818E17  |.  68 18050000   PUSH 518                                 ; /Arg1 = 518
    00818E1C  |.  8B4D FC       MOV ECX,DWORD PTR SS:[LOCAL.1]           ; |
    00818E1F  |.  E8 DC86C0FF   CALL 00421500                            ; \GDMO.00421500
    00818E24  |.  8B45 08       MOV EAX,DWORD PTR SS:[ARG.1]
    00818E27  |.  50            PUSH EAX                                 ; /Arg1 => [ARG.1]
    00818E28  |.  8B4D FC       MOV ECX,DWORD PTR SS:[LOCAL.1]           ; |
    00818E2B  |.  E8 507DC0FF   CALL 00420B80                            ; \GDMO.00420B80
    00818E30  |.  8B4D 0C       MOV ECX,DWORD PTR SS:[ARG.2]
    00818E33  |.  51            PUSH ECX                                 ; /Arg1 => [ARG.2]
    00818E34  |.  8B4D FC       MOV ECX,DWORD PTR SS:[LOCAL.1]           ; |
    00818E37  |.  E8 1488C0FF   CALL 00421650                            ; \GDMO.00421650
    00818E3C  |.  68 18050000   PUSH 518                                 ; /Arg1 = 518
    00818E41  |.  8B4D FC       MOV ECX,DWORD PTR SS:[LOCAL.1]           ; |
    00818E44  |.  E8 9786C0FF   CALL 004214E0                            ; \GDMO.004214E0
    00818E49  |.  8B4D FC       MOV ECX,DWORD PTR SS:[LOCAL.1]
    00818E4C  |.  E8 0F81C0FF   CALL 00420F60                            ; [GDMO.00420F60
    00818E51  |.  8BE5          MOV ESP,EBP
    00818E53  |.  5D            POP EBP
    00818E54  \.  C2 0800       RETN 8
    Can you tell what the structure of the above packet is by looking at the dump?

    How about with this?
    Code:
    int __thiscall sub_818E10(void *this, char Src, wchar_t *Str)
    {
      void *v3; // ST04_4@1
    
      v3 = this;
      sub_421500((int)this, 1304);
      sub_420B80(Src);
      sub_421650(Str);
      sub_4214E0(v3, 1304);
      return sub_420F60(v3);
    }

    I know the structure of the above packet and code; it basically breaks down to this.
    Code:
    #pragma pack(push, 1)
    struct  MSG_REQUEST_CHAR_DELETE
    {          
        WORD pSize;       //Packet Size
        WORD pFunction;   //Packet Function
        DWORD cNumber;    //Character slot to delete
        BYTE nSize;       //Size of character name
        CHAR cEmail[6];   //Email address to verify delete (nSize bytes inline on the wire, 6 in the dump above; not a pointer)
        BYTE bPad;        //0x00 for padding
        WORD sWord;       //Security bytes for packet.
    };
    #pragma pack(pop)
    So I guess my final point is this: unless you are very intimate with the game in question, it is going to be difficult to do what you want, and my advice is to learn from the packets first and then perhaps eventually you will be able to spot them in ASM. I usually dump the packets first, then if I find one that interests me that I cannot figure out without looking at the ASM, I search for the opcode for the function and just debug it as it processes that particular packet.

    Sorry if this is not what you wanted, I am just trying to save you some time.

    //Edit

    This is an overly simplified example; the code above is not the complete code used to handle the deletion, it is simply the building of the packet. Prior steps include parsing the email entry and verifying its size etc.

    - - - Updated - - -

    Also if you want, I can see about creating a system that will dump the packets for you in their decrypted form, assuming the game is still live.
    Last edited by dTantra; 15-04-16 at 06:19 PM.
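    An added example (not dTantra's or the game's code) that walks the 18-byte dump above and fills the fields of MSG_REQUEST_CHAR_DELETE, checking every length against the buffer before reading it, which is the check a server or a replaying sniffer needs even though the client-side builder does not. The opcode 0x0518 and the layout come from the post; the 64-byte name cap and the function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Wire layout of MSG_REQUEST_CHAR_DELETE as described above: little-endian,
 * packed, with the name bytes inline after nSize rather than a pointer. */
typedef struct {
    uint16_t pSize;      /* total packet length including this header */
    uint16_t pFunction;  /* opcode, 0x0518 for character deletion */
    uint32_t cNumber;    /* character slot to delete */
    uint8_t  nSize;      /* length of the name that follows */
    char     name[64];   /* nSize bytes, NUL-terminated here (cap is an assumption) */
    uint8_t  bPad;       /* 0x00 padding byte */
    uint16_t sWord;      /* trailing security bytes */
} char_delete_msg;

/* Constructed sample: the decrypted dump quoted in the post. */
static const uint8_t SAMPLE[] = {0x12,0x00,0x18,0x05,0x02,0x00,0x00,0x00,
                                 0x06,0x33,0x34,0x35,0x33,0x34,0x35,0x00,0x2E,0x1A};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 on success, a negative code on a malformed packet. */
int parse_char_delete(const uint8_t *buf, size_t len, char_delete_msg *out) {
    if (len < 9) return -1;                          /* header + nSize */
    out->pSize     = rd16(buf);
    out->pFunction = rd16(buf + 2);
    out->cNumber   = rd32(buf + 4);
    out->nSize     = buf[8];
    if (out->pSize != len) return -2;                /* size field must match buffer */
    if (out->pFunction != 0x0518) return -3;         /* opcode from the post */
    if (out->nSize >= sizeof(out->name)) return -4;  /* name must fit our buffer */
    if ((size_t)9 + out->nSize + 3 != len) return -5;/* name + pad + sWord exactly */
    memcpy(out->name, buf + 9, out->nSize);
    out->name[out->nSize] = '\0';
    out->bPad  = buf[9 + out->nSize];
    out->sWord = rd16(buf + 10 + out->nSize);
    return 0;
}

const uint8_t *sample_buf(void) { return SAMPLE; }
size_t sample_len(void) { return sizeof(SAMPLE); }
```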

  3. #18 AcarX (Member, joined Aug 2015, 79 posts)

    Thanks for the great answer. From what I understand there's no way around having to collect packet samples from an online server unless you're a beast at assembly, which I am not. And considering my issue is having problems accessing certain packets, I guess I'm in a pickle here.

    As for a system to dump packets, I built a sniffer a couple of months back which does what I need it to do. Thanks for the suggestion though.

  4. #19 dTantra (Member, joined Jul 2013, 94 posts)

    Quote Originally Posted by AcarX:
    Thanks for the great answer. From what I understand there's no way around having to collect packet samples from an online server unless you're a beast at assembly, which I am not. And considering my issue is having problems accessing certain packets, I guess I'm in a pickle here.

    As for a system to dump packets, I built a sniffer a couple of months back which does what I need it to do. Thanks for the suggestion though.
    No problem, I figured I would pass along the offer.

  5. #20 lastfun (Developer, joined Apr 2012, Russia, 422 posts; custom title "only asm, only hardcore!")

    @AcarX @dTantra
    Busy weekend, tomorrow we will continue...
    Together we will win)))

  6. #21 AcarX (Member, joined Aug 2015, 79 posts)

    Any time you want buddy I'm always here :)

  7. #22 lastfun (Developer, joined Apr 2012, Russia, 422 posts; custom title "only asm, only hardcore!")

    The encrypt function can be found here:

    Result:

    The function looks "terrible")))
    Code:
    int __stdcall sub_500B70(int a1, int *a2, unsigned int *a3)
    {
      int result; // eax@1
      unsigned int v4; // edx@1
      unsigned int v5; // ecx@1
      unsigned int v6; // edx@1
      unsigned int v7; // ecx@1
      unsigned int v8; // edx@1
      unsigned int v9; // ecx@1
      unsigned int v10; // edx@1
      unsigned int v11; // ecx@1
      unsigned int v12; // edx@1
      unsigned int v13; // ecx@1
      unsigned int v14; // edx@1
      unsigned int v15; // ecx@1
      unsigned int v16; // edx@1
      unsigned int v17; // ecx@1
      unsigned int v18; // edx@1
      unsigned int v19; // ecx@1
      int v20; // ebx@1
      unsigned __int8 v21; // bp@1
      int v22; // ecx@1
    
      result = a1;
      v4 = *a2 ^ *(a1 + 8);
      v5 = *a3 ^ *(a1 + 12) ^ (*(a1 + 4 * (*a2 ^ *(a1 + 8)) + 3152)
                             + (*(a1 + 4 * BYTE1(v4) + 2128) ^ (*(a1 + 4 * (v4 >> 24) + 80)
                                                              + *(a1 + 4 * ((v4 >> 16) & 0xFF) + 1104))));
      v6 = *(a1 + 16) ^ (*(a1
                         + 4
                         * (*a3 ^ *(a1 + 12) ^ (*(a1 + 4 * (*a2 ^ *(a1 + 8)) + 3152)
                                              + (*(a1 + 4 * BYTE1(v4) + 2128) ^ (*(a1 + 4 * (v4 >> 24) + 80)
                                                                               + *(a1 + 4 * ((v4 >> 16) & 0xFF) + 1104)))))
                         + 3152)
                       + (*(a1 + 4 * BYTE1(v5) + 2128) ^ (*(a1 + 4 * (v5 >> 24) + 80)
                                                        + *(a1 + 4 * ((v5 >> 16) & 0xFF) + 1104)))) ^ v4;
      v7 = *(a1 + 20) ^ (*(a1 + 4 * v6 + 3152)
                       + (*(a1 + 4 * BYTE1(v6) + 2128) ^ (*(a1 + 4 * (v6 >> 24) + 80)
                                                        + *(a1 + 4 * ((v6 >> 16) & 0xFF) + 1104)))) ^ v5;
      v8 = *(a1 + 24) ^ (*(a1 + 4 * v7 + 3152)
                       + (*(a1 + 4 * BYTE1(v7) + 2128) ^ (*(a1 + 4 * (v7 >> 24) + 80)
                                                        + *(a1 + 4 * ((v7 >> 16) & 0xFF) + 1104)))) ^ v6;
      v9 = *(a1 + 28) ^ (*(a1 + 4 * v8 + 3152)
                       + (*(a1 + 4 * BYTE1(v8) + 2128) ^ (*(a1 + 4 * (v8 >> 24) + 80)
                                                        + *(a1 + 4 * ((v8 >> 16) & 0xFF) + 1104)))) ^ v7;
      v10 = *(a1 + 32) ^ (*(a1 + 4 * v9 + 3152)
                        + (*(a1 + 4 * BYTE1(v9) + 2128) ^ (*(a1 + 4 * (v9 >> 24) + 80)
                                                         + *(a1 + 4 * ((v9 >> 16) & 0xFF) + 1104)))) ^ v8;
      v11 = *(a1 + 36) ^ (*(a1 + 4 * v10 + 3152)
                        + (*(a1 + 4 * BYTE1(v10) + 2128) ^ (*(a1 + 4 * (v10 >> 24) + 80)
                                                          + *(a1 + 4 * ((v10 >> 16) & 0xFF) + 1104)))) ^ v9;
      v12 = *(a1 + 40) ^ (*(a1 + 4 * v11 + 3152)
                        + (*(a1 + 4 * BYTE1(v11) + 2128) ^ (*(a1 + 4 * (v11 >> 24) + 80)
                                                          + *(a1 + 4 * ((v11 >> 16) & 0xFF) + 1104)))) ^ v10;
      v13 = *(a1 + 44) ^ (*(a1 + 4 * v12 + 3152)
                        + (*(a1 + 4 * BYTE1(v12) + 2128) ^ (*(a1 + 4 * (v12 >> 24) + 80)
                                                          + *(a1 + 4 * ((v12 >> 16) & 0xFF) + 1104)))) ^ v11;
      v14 = *(a1 + 48) ^ (*(a1 + 4 * v13 + 3152)
                        + (*(a1 + 4 * BYTE1(v13) + 2128) ^ (*(a1 + 4 * (v13 >> 24) + 80)
                                                          + *(a1 + 4 * ((v13 >> 16) & 0xFF) + 1104)))) ^ v12;
      v15 = *(a1 + 52) ^ (*(a1 + 4 * v14 + 3152)
                        + (*(a1 + 4 * BYTE1(v14) + 2128) ^ (*(a1 + 4 * (v14 >> 24) + 80)
                                                          + *(a1 + 4 * ((v14 >> 16) & 0xFF) + 1104)))) ^ v13;
      v16 = *(a1 + 56) ^ (*(a1 + 4 * v15 + 3152)
                        + (*(a1 + 4 * BYTE1(v15) + 2128) ^ (*(a1 + 4 * (v15 >> 24) + 80)
                                                          + *(a1 + 4 * ((v15 >> 16) & 0xFF) + 1104)))) ^ v14;
      v17 = *(a1 + 60) ^ (*(a1 + 4 * v16 + 3152)
                        + (*(a1 + 4 * BYTE1(v16) + 2128) ^ (*(a1 + 4 * (v16 >> 24) + 80)
                                                          + *(a1 + 4 * ((v16 >> 16) & 0xFF) + 1104)))) ^ v15;
      v18 = *(a1 + 64) ^ (*(a1 + 4 * v17 + 3152)
                        + (*(a1 + 4 * BYTE1(v17) + 2128) ^ (*(a1 + 4 * (v17 >> 24) + 80)
                                                          + *(a1 + 4 * ((v17 >> 16) & 0xFF) + 1104)))) ^ v16;
      v19 = *(a1 + 68) ^ (*(a1 + 4 * v18 + 3152)
                        + (*(a1 + 4 * BYTE1(v18) + 2128) ^ (*(a1 + 4 * (v18 >> 24) + 80)
                                                          + *(a1 + 4 * ((v18 >> 16) & 0xFF) + 1104)))) ^ v17;
      v20 = *(a1 + 4 * BYTE1(v19) + 2128) ^ (*(a1 + 4 * (v19 >> 24) + 80) + *(a1 + 4 * ((v19 >> 16) & 0xFF) + 1104));
      v21 = v19;
      v22 = *(a1 + 76) ^ v19;
      *a3 = *(a1 + 72) ^ (*(a1 + 4 * v21 + 3152) + v20) ^ v18;
      *a2 = v22;
      return result;
    }
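    The decompiled function above reads 18 32-bit entries starting at a1+8, four 1024-byte tables at a1+80, +1104, +2128 and +3152, and a per-round expression of the form S3[byte0] + (S2[byte1] ^ (S0[byte3] + S1[byte2])): that is the shape of a Blowfish block encryption (18-entry P-array, four 256-entry S-boxes, 16 Feistel rounds). The following is an added example, not lastfun's, AcarX's or the game's code, that folds the unrolled v4..v19 chain into a loop over the same offsets and shows that walking P in reverse inverts it. The subkeys are constructed from an LCG for testing, not derived from the game's key schedule; the names are assumptions.

```c
#include <stdint.h>

/* Layout recovered from sub_500B70: 18 P-entries at a1+8..+79, four
 * 256-entry S-boxes at a1+80, +1104, +2128, +3152; first 8 bytes unused. */
typedef struct { uint8_t hdr[8]; uint32_t P[18]; uint32_t S[4][256]; } bf_ctx;

/* Round function as the decompiler spelled it out for each round:
 * S3[byte0] + (S2[byte1] ^ (S0[byte3] + S1[byte2])). */
static uint32_t bf_f(const bf_ctx *c, uint32_t x) {
    return ((c->S[0][x >> 24] + c->S[1][(x >> 16) & 0xFF]) ^ c->S[2][(x >> 8) & 0xFF])
           + c->S[3][x & 0xFF];
}

/* The v4..v19 chain folded into a loop: v[k] = P[k] ^ F(v[k-1]) ^ v[k-2].
 * dec=1 walks P in reverse, which inverts a Feistel network of this shape. */
static void bf_block(const bf_ctx *c, uint32_t *l, uint32_t *r, int dec) {
#define PK(i) (dec ? c->P[17 - (i)] : c->P[(i)])
    uint32_t prev = *l ^ PK(0);                  /* v4 */
    uint32_t cur  = *r ^ PK(1) ^ bf_f(c, prev);  /* v5 */
    for (int k = 2; k < 16; k++) {               /* v6 .. v19 */
        uint32_t next = PK(k) ^ bf_f(c, cur) ^ prev;
        prev = cur;
        cur = next;
    }
    *r = PK(16) ^ bf_f(c, cur) ^ prev;           /* *a3 = P16 ^ F(v19) ^ v18 */
    *l = PK(17) ^ cur;                           /* *a2 = P17 ^ v19 */
#undef PK
}
void bf_encrypt(const bf_ctx *c, uint32_t *l, uint32_t *r) { bf_block(c, l, r, 0); }
void bf_decrypt(const bf_ctx *c, uint32_t *l, uint32_t *r) { bf_block(c, l, r, 1); }

/* Constructed subkeys from an LCG (not the game's key schedule), so the
 * round structure can be exercised offline. */
void bf_fill_test_ctx(bf_ctx *c) {
    uint32_t x = 0x12345678u;
    for (int i = 0; i < 18; i++) c->P[i] = (x = x * 1664525u + 1013904223u);
    for (int b = 0; b < 4; b++)
        for (int i = 0; i < 256; i++) c->S[b][i] = (x = x * 1664525u + 1013904223u);
}

/* Returns 1 if decrypt(encrypt(l, r)) restores the input. */
int bf_roundtrip_ok(uint32_t l, uint32_t r) {
    bf_ctx c;
    bf_fill_test_ctx(&c);
    uint32_t el = l, er = r;
    bf_encrypt(&c, &el, &er);
    bf_decrypt(&c, &el, &er);
    return el == l && er == r;
}
```

    With an all-zero context every F() is zero and the output is just the swapped input halves, which matches the final `*a3 = ... ^ v18; *a2 = ... ^ v19;` lines of the decompiled function.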

  8. #23 AcarX (Member, joined Aug 2015, 79 posts)

    Spot on as always. I translated those to C a couple of months back, so I can save you the trouble.
    Crypto.h

  9. #24 jonnybravo (True Member, joined Sep 2006, 764 posts)

    Yep, that'd be it; I got the same thing, it's just a simple XOR over XOR.

    Was cracked back in 2007, I believe.

  10. #25 zarut (True Member, joined Sep 2006, Finland, 537 posts)

    One way to analyze packets from the client only is to hook the functions that write the bytes and make the packet. This way you can basically just sniff the packet while it is being created and get the structure at the same time; however, this won't tell you what all the bytes represent, but it would speed up analyzing them as you don't have to figure the structure out yourself.
    Quote Originally Posted by Emogon;
    "strength....."
    "honor......"
    "wisdom...."
    "i see them in you...."
    "what brings you to my land of emos...?"

  11. #26 AcarX (Member, joined Aug 2015, 79 posts)

    Quote Originally Posted by zarut:
    hook the functions that write the bytes and makes the packet
    Could you elaborate on that please? How would I accomplish this? From what I could gather in assembly, most functions don't use a separate writing function. It's mostly like:

    Code:
    lea edx, [buffer_addr + offset]    ; address of the byte being written
    mov byte ptr [edx], 5              ; size specifier needed, otherwise the operand width is ambiguous

    In case my assembly isn't correct, here's what I mean in C:
    buffer[offset] = 5;

  12. #27 zarut (True Member, joined Sep 2006, Finland, 537 posts)

    Quote Originally Posted by AcarX:
    Could you elaborate on that please? How would I accomplish this? From what I could gather in assembly, most functions don't use a separate writing function. It's mostly like:

    Code:
    lea edx, [buffer_addr + offset]    ; address of the byte being written
    mov byte ptr [edx], 5              ; size specifier needed, otherwise the operand width is ambiguous

    In case my assembly isn't correct, here's what I mean in C:
    buffer[offset] = 5;
    Here is a tutorial on how it's accomplished in Silkroad:
    https://github.com/florian0/swiftnes...ts-in-Silkroad
